Part of the goal of parameter placeholders is to avoid SQL injection. Does directly observing the model in your query string remove that possibility?